International Journal of Management (IJM)

Volume 12, Issue 2, February 2021, pp.583-592, Article ID: IJM_12_02_057


Available online at http://www.iaeme.com/IJM/issues.asp?JType=IJM&VType=12&IType=2
ISSN Print: 0976-6502 and ISSN Online: 0976-6510
DOI: 10.34218/IJM.12.2.2021.057

© IAEME Publication Scopus Indexed

ROLE OF MACHINE LEARNING TECHNIQUES IN DIGITAL FORENSIC INVESTIGATION OF BOTNET ATTACKS
Nosheen Manzoor
Department of Informatics, University of Management and Technology, Lahore, Pakistan

Muzahir Saleem
Department of Computer Science, University of Engineering and Technology, Lahore, Pakistan

Dr. Muhammad Aslam
Department of Computer Science, University of Engineering and Technology, Lahore, Pakistan

Haseeb Manzoor
Department of Analytics, Dublin Business School, Ireland

ABSTRACT
Digital forensics is used to investigate digital crime. Cyber attacks carried out through botnets have
become the most dangerous attacks on the internet, and digital forensic investigation of botnet
attacks is challenging. Attackers are growing in their ability to arrange more complex attacks using
botnets, so it is necessary to strengthen digital forensics to deal with such attacks. Machine learning
plays an important role in network forensics and in detecting these kinds of botnet attacks efficiently
and in less time. Different network forensic techniques use machine learning algorithms, and these
algorithms are applied not only to detect but also to prevent botnet attacks. This paper presents a
survey of different botnet attacks and of the digital forensic investigation techniques used to deal
with them. There is a need for a standard framework for forensic analysis of botnet detection so that
the evidence can be presented in a court of law. Different network forensic techniques are also
discussed in the paper.
Key words: Botnet Forensics, Machine Learning, Network Forensics, Honeypots, Deep Packet
Inspection, Machine Learning Algorithms
Cite this Article: Nosheen Manzoor, Muzahir Saleem, Muhammad Aslam and Haseeb
Manzoor, Role of Machine Learning Techniques in Digital Forensic Investigation of Botnet
Attacks, International Journal of Management, 12(2), 2021, pp 583-592.
http://www.iaeme.com/IJM/issues.asp?JType=IJM&VType=12&IType=2

http://www.iaeme.com/IJM/index.asp 583 editor@iaeme.com



1. INTRODUCTION
In this modern era, where everything is interconnected through networking, cybercrime is also
increasing day by day. In this cyber world it is important to know or trace the actions of different
users in order to control cybercrime. To prove a digital crime in a court of law it is important to dig
out the pieces of evidence by deploying intelligent systems that trace the user's behavior or actions.
The black hat community is known for carrying out malicious activities to harm users, and the botnet
is the trending threat in today's digital world.
A botnet is a collection of malware-infected devices whose main function is to generate more bots
continuously. A botnet performs controlled functions commanded by its controller [1]. Botnet
detection is a serious issue in digital forensics, and machine learning algorithms are now used to
detect botnet activities.
SVM (Support Vector Machine) and packet histogram techniques can be used to improve botnet
detection [2]. A KNN model can be used to analyze textual spam e-mail [3]. A summarization
technique is used by the authors of [4] to extract the knowledge.
Narang et al. [5] suggested a framework for the architecture of P2P botnet traffic detection, in which
machine learning algorithms are used to process every single pair of nodes. Barthakur et al. [6]
differentiate normal and P2P traffic by binary classification; the authors classified the P2P data by
applying the SVM algorithm to a combination of web-based and P2P traffic. Alexey Kiselev et al.
[7] reported in 2019 a 32% increase in attacks in the second half of 2019, of which only half have
been identified. In 2019 a DDoS attack was carried out that lasted up to 509 hours, or 21 days, and
such attacks generate enormous security risks [8]. The main problem in conducting a forensic
investigation is that no standard network forensic technique has evolved that can identify and trace
the attack behavior [9]. Many researchers have used machine learning algorithms for DDoS
detection, but the problem is that all of these need much time for execution and there is still
ambiguity in the investigation of botnet attacks [10].

2. BOTNETS
This section highlights the background, architecture, malicious activities, and attacks performed by
botnets.

2.1 Background of Botnets


Botnets evolved in 1999, when a Trojan and a worm named Sub7 and Pretty Park were used to infect
machines. Both of them were used to connect the victim machine to an IRC channel to execute
malicious commands. Global Bot (GTbot) appeared in 2000. This botnet uses mIRC clients, which
support running different customized scripts, and these scripts depend upon IRC commands [11].
SDBot and Agobot were introduced in 2002. Agobot was a more advanced botnet than SDBot; SDBot
was developed in C++ and was a simple binary file. Agobot works in three steps: 1) it installs a
backdoor in the machine, 2) it instantly disables the antivirus of the victim machine, and 3) it does
not allow the machine's browsers to access well-known security vendors. After changes to SDBot, a
new bot named Spybot was created in 2003. Spybot was able to do keylogging, instant messaging,
and data mining. In 2003 RBot was also launched. RBot was capable of launching a DDoS attack, and
it was difficult to detect because it used compression and encryption techniques [12]. With the
development of IoT, IoT botnets are the next step in botnet attacks. The first IoT-based botnet, named
Mirai, was launched in 2016 [22]. It successfully launched the most powerful DDoS attack in the
history of the Internet. The chart of country-wise infected devices is shown in Fig. 1 [23].


Figure 1 Chart of country-wise infected devices by Botnet attacks


Some famous Botnets with their features are described in table 1.

Table 1 Famous botnets and their features [20][21][22][23][24]

Sr.No. Famous Botnets (Year): Main Functions
1. Sub7, Pretty Park (1999): a Trojan and a worm named Sub7 and Pretty Park were used to infect
machines. Both of them were used to connect the victim machine to an IRC channel to execute
malicious commands.
2. GTBot, Agobot (2000): this botnet uses mIRC clients, which support running different customized
scripts that depend upon IRC commands. Agobot was a more advanced botnet than SDBot; SDBot was
developed in C++ and was a simple binary file.
3. SpyBot, RBot (2003): Spybot was able to do keylogging, instant messaging, and data mining. RBot
was capable of launching a DDoS attack; it was difficult to detect because it used compression and
encryption techniques.
4. Bagle, Bobax (2004)
5. Zeus, ZBot (2006): Zeus was a Trojan that steals credentials [13]. The version launched in 2011
was more advanced and uses encryption in a P2P architecture instead of an IRC channel [14].
6. Koobface (2009): the first malware developed to hit social media [15][16][17]. A single Koobface
has its binary split into many segments, each of which performs its own functionality [18].
7. Windigo (2011)
8. Linux/Ebury (2014): it creates a backdoor and steals credentials. After stealing information it
leaves no trace in the log file. It changes the SSH binary code at runtime [19].
9. Mirai Botnet (2018)

2.2 Botnet Architecture


A bot is a computer program that infects a host machine and makes it part of a botnet [20][21]. A
botnet is malware that differs from other malware in that it creates a channel between the infected
host and its creator for communication and issuing commands. Botnets use two basic propagation
techniques: 1) active and 2) passive.
In active propagation the malware scans the network to find vulnerabilities in the machines
connected to it, exploits the vulnerable machines and makes them part of the botnet,


while the passive propagation method needs a user to visit sites, or to click on e-mails and spam, to
download the malware onto the machine and make it part of the botnet [20][24]. In the botnet
architecture the botmaster is the controller who issues commands to the infected hosts and receives
their responses, as shown in Fig. 2. This infrastructure is called command and control (C&C). C&C
has many different types, including 1) P2P, 2) centralized, 3) hierarchical and 4) hybrid [24][25].
The centralized infrastructure of a botnet uses the HTTP protocol and IRC to send and receive
commands [25][21].

Figure 2 Botnet architecture


In the P2P infrastructure every bot can perform the functions of the C&C server or act as a client bot
that carries out its activities in support of the botmaster. This architecture is quite difficult to take
down, because affecting one host means deactivating only a few hosts or devices of the botnet [20].

Figure 3 P2P infrastructure of Botnets


A hybrid architecture is a blend of the P2P and centralized architectures that has the positive points
of both [26].
In the hybrid architecture a supervisor bot holds communication with the other supervisors.
Supervisor bots make the botnet harder to detect by keeping all the information to themselves and
preventing exposure of the botnet. Every supervisor bot maintains a list of its peer community and
keeps it secret from the other bots. The structure of the hybrid architecture is shown in Fig. 3.


Figure 4 Hybrid Botnet architecture

3. DIGITAL FORENSIC
Digital forensics is the practice of precisely locating and gathering electronic information saved on
digital devices, preserving and analyzing that information, and submitting it to the court as evidence.
Depending on the subject of analysis, digital forensics includes disk forensics, system forensics,
network forensics, Internet forensics, mobile forensics, database forensics, and cryptographic
forensics (Jae-Ung Lee & Woo-Young Soh, 2020).

3.1 Evolution of Digital Forensics


As in this digital era cybercrime is expanding every day, law enforcement agencies need to take
adequate action to tackle it, and this is where digital forensics comes in. Digital forensics was
developed in 1984, when the FBI started programs in its laboratories to investigate crimes committed
using computers [27][28].
With the advancement of digital forensics, different standards, definitions and digital forensic
investigation models have evolved. Many digital forensic investigation models share some common
stages, but they were developed to investigate different, distinct crimes in different scenarios [28].
R. Kaur and A. Kaur [27] define digital forensics as: “The use of scientifically derived and proven
methods toward the preservation, validation, identification, analysis, interpretation, documentation
and presentation of digital evidence derived from digital sources to facilitate or further the
reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to
be disruptive to planned operations”.
At the first DFRWS (Digital Forensic Research Workshop) in 2001 a digital forensic model was
proposed and named the DFRWS investigation model. It consists of six stages: identification,
preservation, collection, examination, analysis, and presentation [27].
The first stage, identification, is used to pick out the main source of the crime [28]. The second stage
is preservation, in which a proper case is established by maintaining a chain of custody; in this stage
it is also ensured that no tampering has been done to the collected data. The third stage is collection,
in which digital forensic investigators collect the important data identified in the previous stage using
different tools and techniques. The next two stages, examination and analysis, are very important:
evidence is traced and extracted from the previously collected data by data mining and other
techniques to prove the crime


in the court of law. The last stage is presentation, in which all the evidence, reports and data, from
the start of the investigation to the presentation in court, are documented [27].
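The preservation stage above rests on a chain of custody that proves the collected data was not tampered with. The following Python module is an added example (not code from the paper): it fingerprints an evidence item at collection and keeps a hash-linked custody ledger, so that both a modified evidence file and an edited custody record are detected at verification; the evidence bytes, item id and custody events are constructed for the example.

```python
"""Preservation-stage chain of custody for the DFRWS investigation model.

Added example, not the paper's code. The evidence item is fingerprinted
with SHA-256 at collection; every hand-off is appended to a ledger whose
entries each commit to the previous entry, so verification detects both
a modified evidence file and an edited custody record.
"""
import hashlib
import json

ENTRY_FIELDS = ("actor", "action", "when", "prev")


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of an acquired item (pcap, log file, disk image)."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    """Canonical JSON of the entry fields, then SHA-256."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    def __init__(self, item_id: str, data: bytes):
        self.item_id = item_id
        self.collected_hash = fingerprint(data)   # anchors the chain to the data
        self.entries = []

    def record(self, actor: str, action: str, when: str) -> str:
        """Append a custody event linked to the previous one; returns its hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.collected_hash
        body = {"actor": actor, "action": action, "when": when, "prev": prev}
        body["entry_hash"] = _entry_hash({k: body[k] for k in ENTRY_FIELDS})
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self, data: bytes) -> bool:
        """True only if the item hash matches and every ledger link is intact."""
        if fingerprint(data) != self.collected_hash:
            return False
        prev = self.collected_hash
        for entry in self.entries:
            body = {k: entry[k] for k in ENTRY_FIELDS}
            if body["prev"] != prev or _entry_hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def custody_demo() -> dict:
    """Constructed scenario: intact evidence, tampered evidence, edited ledger."""
    # Constructed log line standing in for a collected network artifact.
    evidence = b"2021-02-01T10:00:00Z 10.0.0.5 -> 198.51.100.7:6667 IRC JOIN #chan\n"
    ledger = CustodyLedger("item-0001", evidence)
    ledger.record("collector", "acquired from sensor", "2021-02-01T11:00:00Z")
    ledger.record("analyst", "received for examination", "2021-02-02T09:00:00Z")
    intact = ledger.verify(evidence)
    # Scenario 1: the evidence bytes are altered after collection.
    data_tampered = ledger.verify(evidence.replace(b"10.0.0.5", b"10.0.0.6"))
    # Scenario 2: a custody entry is rewritten without re-linking the chain.
    ledger.entries[0]["actor"] = "someone else"
    ledger_tampered = ledger.verify(evidence)
    return {"intact": intact, "data_tampered": data_tampered,
            "ledger_tampered": ledger_tampered}


if __name__ == "__main__":
    print(custody_demo())
```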

3.2 Network Forensics


Network forensics is a new and emerging field for detecting and finding pieces of evidence, to be
presented in a court of law, about malicious activities that use the internet or networks as their source,
such as DDoS attacks and data stealing [3]. In network forensics the life span of the evidence is very
short, because data and information packets are sent from one device to another. Many tools and
techniques for network forensics have evolved over the last several years to find such evidence
[29][30][31].
Intrusion detection systems and honeypots are well-known developments in network forensic tools
[32][33][34].

4. NETWORK FORENSIC TECHNIQUES FOR BOTNET INVESTIGATION


Network forensics is a new and emerging branch of digital forensics that deals with network-related
proofs, which are investigated in the form of logs, network flows, and packets. This section deals
with the network forensic methodologies used to detect and analyze botnets and their malicious
activities. The following methods are used in investigating botnets.

4.1 Honeypots
Honeypots are simulated devices that perform their functions in a controlled virtual setup. Honeypots
attract attackers and malware-infected bots. Honeypots are of two types: 1) low-interaction honeypots
and 2) high-interaction honeypots, which gather information by imitating a complete system (e.g.
Windows or Linux). The main advantage of honeypots is that all attacks, malware infections, and
unauthorized access attempts are automatically logged by the honeypot operators to build prediction
patterns for future use [35][36][37][38][39][40].
Pham and Dacier [40] proposed low-interaction honeypot systems whose main focus is to develop a
system that automatically identifies botnet attacks from large datasets. Kumar et al. [36] suggested a
honeynet architecture that is completely automated and can also reconfigure itself. Mittal and Singh
[37] developed a methodology to derive the rules of an intrusion detection system from collected
honeypot data.
Paradise et al. [39] proposed a tool named ProfileGen. This tool was used to generate authentic and
appealing social profiles as honeypots, and attackers are attracted to these profiles. Jeong et al. [35]
worked on handling and investigating widespread events. The authors proposed a bitmap-based
widespread event detection protocol: agents and coordinators exchange these bitmaps with each
other, and in the end the bitmaps are used to identify and categorize the widespread events.

4.2 Deep Packet Inspection


Deep packet inspection (DPI) is a packet sniffing/inspection method that gives a detailed inspection
of the data packets sent over the network in order to identify malicious content in a packet. The main
issue it raises is the confidentiality of the data when trying to analyze encrypted data, so it is unable
to detect zero-day malware. Deep packet inspection is still used nowadays to collect more
information about a data packet by scanning the content of the packets [41].
Chen et al. [42] suggested a cloud-based security management system. It uses cloud storage
infrastructure and cloud processing to perform forensic investigation of collected network traffic
data, especially spam incidents. The researchers used CNSMS (Collaborative Network Security
Management System), which manages the security responsibilities of four different networks, and
NetSecu nodes for monitoring network traffic.
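As an added example of what a DPI pass looks like in practice (this is not code from the paper or from the systems it cites), the following Python module inspects constructed packet payloads: it matches the plaintext IRC verbs a bot exchanges with a centralized IRC C&C channel, and it separately flags high-entropy payloads that DPI cannot read, which is the encrypted-traffic limitation the paragraph above describes. The packet records, addresses and the entropy cut-off are assumptions made for the example.

```python
"""Deep packet inspection pass over captured payloads.

Added example, not the paper's code. Plaintext IRC verbs at the start of a
line are reported as an IRC C&C indicator; payloads whose byte entropy is
too high to be readable text are reported as opaque (encrypted or
compressed), i.e. the packets DPI cannot inspect and that must be handed
to flow-level analysis instead.
"""
import math
import re
from collections import Counter

# IRC protocol verbs (RFC 1459) seen in the clear on a classic IRC C&C
# channel, matched at the start of a line.
IRC_VERB = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG|TOPIC)\b", re.M)
ENTROPY_THRESHOLD = 6.5  # bits/byte; assumed cut-off for "not inspectable text"
MIN_OPAQUE_LEN = 32      # very short payloads cannot reach a meaningful entropy


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect(packet: dict) -> dict:
    """Classify one packet as irc-c2, opaque (uninspectable) or clean."""
    payload = packet["payload"]
    verdict = {"src": packet["src"], "dst": packet["dst"], "finding": "clean"}
    verbs = sorted({m.decode() for m in IRC_VERB.findall(payload)})
    if verbs:
        verdict["finding"] = "irc-c2"
        verdict["verbs"] = verbs
    elif len(payload) >= MIN_OPAQUE_LEN and shannon_entropy(payload) > ENTROPY_THRESHOLD:
        verdict["finding"] = "opaque"
        verdict["entropy"] = round(shannon_entropy(payload), 2)
    return verdict


# Constructed capture: a plaintext IRC session, an ordinary HTTP request and
# a payload of uniformly distributed bytes standing in for ciphertext.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "198.51.100.7:6667",
     "payload": b"NICK host-1a2b\r\nUSER h 0 * :h\r\nJOIN #control\r\n"},
    {"src": "10.0.0.6", "dst": "203.0.113.9:80",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "10.0.0.7", "dst": "198.51.100.8:443",
     "payload": bytes(range(256))},
]


def inspect_all(packets=SAMPLE_PACKETS) -> list:
    """Run the inspector over a list of packet records."""
    return [inspect(p) for p in packets]


if __name__ == "__main__":
    for verdict in inspect_all():
        print(verdict)
```

The opaque verdict is the practical takeaway: once the C&C channel is encrypted, payload matching yields nothing and the investigator has to fall back on flow statistics such as those used in Section 5.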


5. MACHINE LEARNING ROLE IN BOTNET FORENSICS


Detection of botnet traffic using machine learning algorithms is one of the important and prominent
ways of botnet detection [5]. Machine learning approaches are used to detect botnet traffic patterns
that cannot be detected by other techniques, because botnets produce distinguishable traffic. ML
approaches have benefits over normal anomaly-based and signature-based techniques [47].
Strayer et al. [48] were the first to demonstrate a supervised machine learning algorithm for botnet
detection. The authors formulated a botnet detection technique for IRC botnets, using TCP flow
classification with a supervised machine learning algorithm to carry out multi-phase traffic analysis.
They used three MLAs for each classification: 1) Naïve Bayesian, 2) Bayesian network, and 3) C4.5
decision tree. This technique used TCP traffic for IRC communication.
Masud et al. [49] suggested a flow-based malicious botnet detection technique. The proposed
technique used host-level forensics and DPI (Deep Packet Inspection) to obtain the traffic features
for IRC botnet and TCP flows. Five classifiers were used: 1) Naïve Bayesian, 2) Bayesian network,
3) Support Vector Machine, 4) C4.5 decision tree, and 5) Boosted decision tree; the C4.5 classifier
gives an accuracy of up to 98%. The authors used client-level forensics and deep packet inspection
for extracting traffic flow features.
Saad et al. [50] suggested a framework for P2P botnet detection using host- and flow-based traffic
features. The authors used the following supervised MLAs: 1) Nearest neighbors, 2) Naive Bayesian,
3) Support Vector Machine (SVM), 4) Artificial Neural Networks (ANN), and 5) Gaussian-based
classifier. Using SVM they achieved an accuracy of up to 97%, and these results were achieved
within the time constraints using different MLAs.
The following table shows the different research works done on forensic analysis of botnet detection.

Table 2 Different research works on forensic analysis of botnet detection

Sr.No. Author [ref]: Machine Learning Algorithm; Dataset; Proposed network forensic framework; Accuracy
1. Masud et al. [49]: Naïve Bayesian, Bayesian network, Support Vector Machine, C4.5 decision tree;
SDBot, RBot; host-level forensic and DPI (Deep Packet Inspection); 98%
2. Saad et al. [50]: Nearest Neighbors classifier, Linear Support Vector Machine, Artificial Neural
Network, Gaussian-based classifier, Naive Bayes classifier; Storm botnet, Waledac bot; –; 97%
3. Anchit Bijalwan [43]: DT, KNN, SVM, Voting, Bagging (an ensemble classifier); ISCX Botnet;
Inquisition Model; 98.3%
4. Muhammad Shafiq, Zhihong Tian [44]: Decision tree C4.5, Naïve Bayes, Random forest, SVM;
Bot-IoT data set; CorrAUC; 99%
5. Rizky, Niken [45]: Decision tree C4.5; Bot-IoT; application using C4.5; 88% with full features of
the data set
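The flow-based detectors surveyed in this section (Strayer et al., Masud et al., Saad et al.) all reduce each TCP flow to a small feature vector and hand it to a supervised classifier. The following Python block is an added example, not code from any of those papers: it builds constructed, labelled flow records (periodic small beacons to a C&C host versus bursty, irregular benign transfers), trains a from-scratch Gaussian Naive Bayes on one draw and reports held-out accuracy and a confusion table on another. The feature names and the traffic distributions are assumptions made for the example.

```python
"""Flow-based botnet classifier with a Gaussian Naive Bayes model.

Added example, not the paper's code. Shows the mechanics of the
flow-feature + supervised-classifier step end to end on constructed
data: per-flow timing and size statistics, per-class Gaussian fits,
and evaluation on a separate synthetic draw.
"""
import math
import random
from collections import defaultdict

FEATURES = ("mean_interval", "interval_std", "mean_bytes", "pkts")


def synth_flows(n_per_class: int, seed: int) -> list:
    """Constructed flow records as (feature dict, label); not a real capture."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n_per_class):
        # Bot flows: check in with C&C roughly every minute, small payloads.
        flows.append(({"mean_interval": rng.gauss(60, 5),
                       "interval_std": abs(rng.gauss(1.0, 0.5)),
                       "mean_bytes": rng.gauss(90, 15),
                       "pkts": rng.gauss(40, 8)}, "bot"))
        # Benign flows: irregular timing, larger and more variable transfers.
        flows.append(({"mean_interval": abs(rng.gauss(8, 6)),
                       "interval_std": abs(rng.gauss(12, 5)),
                       "mean_bytes": rng.gauss(700, 250),
                       "pkts": abs(rng.gauss(120, 60))}, "benign"))
    return flows


class GaussianNB:
    """Per-class Gaussian likelihood per feature, combined under independence."""

    def fit(self, samples):
        by_label = defaultdict(list)
        for x, y in samples:
            by_label[y].append(x)
        self.log_prior = {y: math.log(len(xs) / len(samples)) for y, xs in by_label.items()}
        self.stats = {}
        for y, xs in by_label.items():
            self.stats[y] = {}
            for f in FEATURES:
                vals = [x[f] for x in xs]
                mu = sum(vals) / len(vals)
                # Small epsilon keeps a constant feature from producing zero variance.
                var = sum((v - mu) ** 2 for v in vals) / len(vals) + 1e-6
                self.stats[y][f] = (mu, var)
        return self

    def log_posterior(self, x, y):
        """log prior + sum of log Gaussian densities (up to a shared constant)."""
        lp = self.log_prior[y]
        for f in FEATURES:
            mu, var = self.stats[y][f]
            lp += -0.5 * math.log(2 * math.pi * var) - (x[f] - mu) ** 2 / (2 * var)
        return lp

    def predict(self, x):
        return max(self.stats, key=lambda y: self.log_posterior(x, y))


def evaluate(train_per_class=200, test_per_class=100) -> dict:
    """Train on one synthetic draw, test on another; accuracy plus confusion counts."""
    clf = GaussianNB().fit(synth_flows(train_per_class, seed=1))
    test = synth_flows(test_per_class, seed=2)
    confusion = defaultdict(int)
    for x, y in test:
        confusion[(y, clf.predict(x))] += 1
    correct = confusion[("bot", "bot")] + confusion[("benign", "benign")]
    return {"accuracy": correct / len(test), "confusion": dict(confusion)}


if __name__ == "__main__":
    print(evaluate())
```

The separation here is deliberately easy; on real captures the interesting work is in the feature engineering (which statistics survive encryption and P2P C&C) rather than in the classifier itself.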

6. CONCLUSION
In this survey paper we tried to explore the effect of machine learning algorithms on the forensic
investigation of malicious botnet detection. Initially, we furnished this paper with the background of
botnets, digital forensics, and the network forensic methods for investigating botnets. The network
forensic methods discussed in this paper were honeypots, deep packet inspection and network flow.
Then we discussed the role of machine learning algorithms in improving the results of the detection


of botnets. In the field of forensic analysis of botnet detection only limited work has been done. A
significant amount of work on the detection of botnets with machine learning algorithms has been
done, but there is a need for a standard framework for forensic analysis of botnet detection to present
the evidence in a court of law.

REFERENCES
[1] A. Bijalwan, V. K. Solanki, and E. S. Pilli, “Botnet forensic: issues, challenges, and good practices,”
Network Protocols and Algorithms, vol. 10, no. 2, 2018.

[2] S. Kondo and N. Sato, “Botnet traffic detection techniques by C&C session classification using
SVM,” in Proceedings of the International Workshop on Security, Vienna, Austria, September 2007.

[3] R. M. Alguliev, R. M. Aliguliyev, and S. A. Nazirova, “Classification of textual e-mail spam using
data mining techniques,” Applied Computational Intelligence and Soft Computing, vol. 2011, Article
ID 416308, 8 pages, 2011.

[4] S. Garg, A. K. Singh, A. K. Sarje, and S. K. Peddoju, “Behaviour analysis of machine learning
algorithms for detecting P2P botnets,” in Proceedings of the 15th International Conference on
Advanced Computing Technologies (ICACT), Rajampet, India, September 2013.

[5] P. Narang, V. Khurana, and C. Hota, “Machine-learning approaches for P2P botnet detection using
signal-processing techniques,” in Proceedings of the 8th ACM International Conference on Distributed
Event-Based Systems, pp. 338–341, Mumbai, India, May 2014.

[6] P. Barthakur, M. Dahal, and M. K. Ghose, “A framework for P2P botnet detection using SVM,” in
Proceedings of the International Conference on Cyber-Enabled Distributed Computing and
Knowledge Discovery (CyberC), p. 195_0, Sanya, China, October 2012.

[7] E. Sulaeman, “Kaspersky: Serangan ddos melonjak selama kuartal kedua 2019,”
https://cyberthreat.id/read/1989/Kaspersky-Serangan-DDoS-Melonjak-Selama-Kuartal-Kedua-2019/,
2019, online; accessed 18 August 2019.

[8] W. Lee, C. Wang, and D. Dagon, Botnet Detection: Countering the Largest Security Threat. Springer
Science & Business Media, 2007.

[9] R. T. Wiyono and N. D. W. Cahyani, “Performance analysis of decision tree C4.5 as a classification
technique to conduct network forensics for botnet activities in Internet of Things,” 2020
International Conference on Data Science and Its Applications (ICoDSA), Bandung, Indonesia, 2020,
pp. 1–5, doi: 10.1109/ICoDSA50139.2020.9212932.

[10] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust malware detection for internet of
(battlefield) things devices using deep eigenspace learning,” IEEE Transactions on Sustainable
Computing, vol. 4, no. 1, pp. 88–95, 2018.

[11] Ferguson R (2015) The history of botnet—part. http://countermeasures.trendmicro.eu/the-history-of-the-botnet-part-i/.
Updated 24 Sept 2010. Accessed 20 July 2015.

[12] Atluri A.C., Tran V. (2017) Botnets threat analysis and detection. In: Traoré I., Awad A., Woungang
I. (eds) Information Security Practices. Springer, Cham. https://doi.org/10.1007/978-3-319-48947-6_2

[13] Andriesse D, Bos H (2014) An analysis of the ZeuS peer-to-peer protocol. IR-CS-74, rev.

[14] Falliere N, Chien E (2009) Zeus: King of the bots. Symantec Corporation, Cupertino, CA.

[15] Baltazar J, Costoya J, Flores R (2009) The real face of KOOBFACE: the largest web 2.0 botnet
explained. Trend Micro Threat Research.

[16] Thomas K, Nicol DM (2010) The Koobface botnet and the rise of social malware. Proceedings of the
5th IEEE International Conference on Malicious and Unwanted Software (Malware), 2010, pp 63–70.

[17] Sophos Press Release (2007) Sophos Facebook ID probe shows 41% of users happy to reveal all to
potential identity thieves. https://www.sophos.com/en-us/press-office/press-releases/2007/08/facebook.aspx

[18] Fortinet White Paper (2013) Anatomy of a botnet. Fortinet, Sunnyvale. www.fortinet.com; SANS
Institute InfoSec Reading Room (2015) Defense in depth. https://www.sans.org/readingroom/whitepapers/basics/defense-in-depth-525.
Accessed 30 July 2015.

[19] Bilodeau O, Bureau P, Calvet J et al (2015) Operation Windigo.
http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf. Accessed 22 July 2015.

[20] S. Khattak, N. R. Ramay, K. R. Khan, A. A. Syed, and S. A. Khayam, “A taxonomy of botnet behavior,
detection, and defense,” IEEE Commun. Surveys Tuts., vol. 16, no. 2, pp. 898–924, 2nd Quart., 2014.

[21] S. S. C. Silva, R. M. P. Silva, R. C. G. Pinto, and R. M. Salles, “Botnets: A survey,” Comput. Netw.,
vol. 57, no. 2, pp. 378–403, 2013.

[22] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai and other botnets,”
Computer, vol. 50, no. 7, pp. 80–84, 2017.

[23] https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/

[24] N. Negash and X. Che, “An overview of modern botnets,” Inf. Secur. J., Global Perspective, vol. 24,
nos. 4–6, pp. 127–132, 2015.

[25] A. Bijalwan, M. Thapaliyal, E. S. Pilli, and R. C. Joshi, “Survey and research challenges of botnet
forensics,” Int. J. Comput. Appl., vol. 75, no. 7, pp. 43–50, 2013.

[26] Ullah, Ihsan & Khan, Naveed & Aboalsamh, Hatim. (2013). Survey on botnet: Its architecture,
detection, prevention and mitigation. 660–665. 10.1109/ICNSC.2013.6548817.

[27] R. Kaur and A. Kaur, “Digital forensics,” Int. J. Comput. Appl., vol. 50, no. 5, pp. 5–9, 2012.

[28] Y. Yusoff, R. Ismail, and Z. Hassan, “Common phases of computer forensics investigation models,”
Int. J. Comput. Sci. Inf. Technol., vol. 3, no. 3, pp. 17–31, 2011.

[29] S. Khan, A. Gani, A. W. A. Wahab, M. Shiraz, and I. Ahmad, “Network forensics: Review, taxonomy,
and open challenges,” J. Netw. Comput. Appl., vol. 66, pp. 214–235, May 2016.

[30] R. Hunt and S. Zeadally, “Network forensics: An analysis of techniques, tools, and trends,” Computer,
vol. 45, no. 12, pp. 36–43, Dec. 2012.

[31] N. Moustafa and J. Slay. (2017). “RCNF: Real-time collaborative network forensic scheme for
evidence analysis.” [Online]. Available: https://arxiv.org/abs/1711.02824

[32] M. Keshk, N. Moustafa, E. Sitnikova, and G. Creech. (2017). “Privacy preservation intrusion
detection technique for SCADA systems.” [Online]. Available: https://arxiv.org/abs/1711.02828

[33] N. Koroniotis, N. Moustafa, E. Sitnikova, and J. Slay. (2017). “Towards developing network forensic
mechanism for botnet activities in the IoT based on machine learning techniques.” [Online]. Available:
https://arxiv.org/abs/1711.02825

[34] Moustafa, J. Slay, and G. Creech, “Novel geometric area analysis technique for anomaly detection
using trapezoidal area estimation on large-scale networks,” IEEE Trans. Big Data, to be published.

[35] J. Jeong, S. M. A. Naqvi, and M. Yoon, “Accurate and communication-efficient detection of
widespread events,” IEEE Access, vol. 6, pp. 61728–61734, 2018.

[36] S. Kumar, P. Singh, R. Sehgal, and J. S. Bhatia, “Distributed honeynet system using gen III virtual
honeynet,” Int. J. Comput. Theory Eng., vol. 4, no. 4, pp. 537–541, 2012.

[37] S. Mittal and R. Singh, “A support vector approach for formulating IDS rules using honeypot data,”
Adv. J. Comput. Sci. Eng., vol. 4, pp. 1–5, Jun. 2016.

[38] N. Naik, P. Jenkins, R. Cooke, and L. Yang, “Honeypots that bite back: A fuzzy technique for
identifying and inhibiting fingerprinting attacks on low interaction honeypots,” in Proc. IEEE Int. Conf.
Fuzzy Syst. (FUZZ-IEEE), Jul. 2018, pp. 1–8.

[39] A. Paradise, D. Cohen, A. Shabtai, and R. Puzis. (2018). “Generation of automatic and realistic
artificial profiles.” [Online]. Available: https://arxiv.org/abs/1807.00125

[40] V.-H. Pham and M. Dacier, “Honeypot trace forensics: The observation viewpoint matters,” Future
Gener. Comput. Syst., vol. 27, no. 5, pp. 539–546, 2011.

[41] N. Koroniotis, N. Moustafa and E. Sitnikova, “Forensics and deep learning mechanisms for botnets
in Internet of Things: A survey of challenges and solutions,” IEEE Access, vol. 7, pp. 61764–61785,
2019, doi: 10.1109/ACCESS.2019.2916717.

[42] Z. Chen, F. Han, J. Cao, X. Jiang, and S. Chen, “Cloud computing-based forensic analysis for
collaborative network security management system,” Tsinghua Sci. Technol., vol. 18, no. 1, pp. 40–50,
Feb. 2013.

[43] Anchit Bijalwan, “Botnet forensic analysis using machine learning,” Security and Communication
Networks, vol. 2020, Article ID 9302318, 9 pages, 2020. https://doi.org/10.1155/2020/9302318

[44] M. Shafiq, Z. Tian, A. K. Bashir, X. Du and M. Guizani, “CorrAUC: a malicious Bot-IoT traffic
detection method in IoT network using machine learning techniques,” IEEE Internet of Things
Journal, doi: 10.1109/JIOT.2020.3002255.

[45] R. T. Wiyono and N. D. W. Cahyani, “Performance analysis of decision tree C4.5 as a classification
technique to conduct network forensics for botnet activities in Internet of Things,” 2020
International Conference on Data Science and Its Applications (ICoDSA), Bandung, Indonesia, 2020,
pp. 1–5, doi: 10.1109/ICoDSA50139.2020.9212932.

[46] S. S. Silva, R. M. Silva, R. C. Pinto, and R. M. Salles, “Botnets: A survey,” Computer Networks, vol.
57, no. 2, pp. 378–403, 2013.

[47] M. Stevanovic and J. Pedersen, “Machine learning for identifying botnet network traffic,” Aalborg
University, Tech. Rep., 2013.

[48] Strayer W.T., Lapsely D., Walsh R., Livadas C. (2008) Botnet detection based on network behavior.
In: Lee W., Wang C., Dagon D. (eds) Botnet Detection. Advances in Information Security, vol 36.
Springer, Boston, MA. https://doi.org/10.1007/978-0-387-68768-1_1

[49] M. M. Masud, T. Al-khateeb, L. Khan, B. Thuraisingham and K. W. Hamlen, “Flow-based
identification of botnet traffic by mining multiple log files,” 2008 First International Conference on
Distributed Framework and Applications, Penang, 2008, pp. 200–206, doi:
10.1109/ICDFMA.2008.4784437.

[50] S. Saad et al., “Detecting P2P botnets through network behavior analysis and machine learning,” 2011
Ninth Annual International Conference on Privacy, Security and Trust, Montreal, QC, 2011, pp. 174–180,
doi: 10.1109/PST.2011.5971980.
